VA's security lessons learned

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became “the poster child of data breaches,” saidKathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response.

As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data.

“We have a culture of report, report, report,” Maginnis said at the recent FOSE conference in Washington.

The incident response program received a perfect score last year in the VA inspector general’s Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year.

The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

Effective incident response also requires good people and effective policy in addition to technology, said information security specialist Steve Emmons. Much of VA's program focuses on promoting policy awareness and educating employees on the need to report all exposure or improper handling of data.

The high-profile laptop theft in May 2006 had immediate and longer-term impacts. It trashed the public’s confidence in the department and led to the requirement that data on laptops be encrypted. The theft also led to a law, passed in December 2006, that requires the department to provide quarterly reports of data breaches to Congress, provide credit protection to possible victims and do independent risk assessments of serious breaches.

Other incidents highlighted additional weaknesses and corrective steps. The theft of a contractor desktop computer led to the department writing stronger security controls into its contracts, including the use of virtual private networks for communication. The theft of a hard drive with hundreds of thousands of patient records from a leased research facility showed the need to improve physical security in all locations, not just in VA facilities.

The cost of these breaches far exceeds the value of the stolen hardware. Credit protection services for a single incident can cost millions of dollars, and multimillion-dollar lawsuits are likely. VA recently settled a suit stemming from the 2006 laptop theft, agreeing to pay as much as $20 million for credit-monitoring expenses and other damages to victims of that theft, even though the computer was recovered with the data apparently intact.

“The data doesn’t even have to be misused to have a large financial settlement,” Maginnis said.

The incident response team now produces a daily report on all reported incidents, no matter how small, and meets weekly with an incident resolution team that deals with problems that are potentially more serious. It also produces a monthly summary of major incidents in addition to the mandated quarterly report to Congress.

Agencies now are required to report data breaches to their security operations centers within an hour, and the centers are required to report all serious breaches to the U.S. Computer Emergency Readiness Team in another hour. “We are the US-CERT’s largest customer, because we send everything,” Maginnis said. “In one hour, how do you know” how serious a breach is? “We do triage later.”

Maginnis advised other agencies to learn from VA’s experiences and assume that the same kinds of things will happen to them.

“Your turn will come,” she warned. “Anticipate that you will be in the paper. We don’t see any need for any of our federal brothers and sisters to go through what we went through.”

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.